I have Perl code, which uses a library that in turn uses openssl for
HTTPS connections.  I have been trying to use Wireshark to diagnose
this, but I have yet to find a way to have it tell me what steps in
the SSL handshaking are happening at a given time (client hello,
server hello, &c.).  Thus, I am having trouble seeing whether the
problem is in my client not doing something right or the server not
doing something right.  I have not yet figured out how to have it
export everything in a capture file in plain text so that I could
copy/paste it in a note like this so you could see for yourself what
is happening.

I did get openssl s_client to connect properly, and here is the output
from that (sanitized of the server operator's ID):

ted@linux-jp04:~/Work/Projects/FirstData> openssl s_client -CAfile server-test.pem -cert client_test.pem -key client_test.key -connect n.n.n.n:8443
CONNECTED(00000003)
depth=1 C = LV, ST = Latvia, L = Riga, O = xxxxxxxxxxxxxxxxxx, CN = server-test, emailAddress = webmas...@xxxxxxxxxxxxxxxxxx.xxx
verify return:1
depth=0 C = LV, O = FDL, CN = lv-rtps-proxy-test.ne.1dc.com
verify return:1
---
Certificate chain
 0 s:/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
   i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
 1 s:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
   i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
---
Server certificate
-----BEGIN CERTIFICATE-----
DELETED
-----END CERTIFICATE-----
subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
issuer=/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
---
Acceptable client certificate CA names
/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
---
SSL handshake has read 3690 bytes and written 3700 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 53E0DE54D7D7E928F177883E10447786C15133386DA3F0489796845673C70DEA
    Session-ID-ctx:
    Master-Key: DELETED
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407245906
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

closed
ted@linux-jp04:~/Work/Projects/FirstData>


Now, here is the output I get from my Perl client (also sanitized):

$url = https://n.n.n.n:8443/
        $scheme = https
        $self->{ssl_set} = 0
        $self->{ca_cert_dir} = .
        $self->{ca_cert_file} = server-test.pem
                $LWP::VERSION = 6.05
                Setting cert dir and file if available
        $self->{ssl_set} = 1
DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088
DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:528: socket connected
DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968
DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136
DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n cn=lv-rtps-proxy-test.ne.1dc.com alt=
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed

DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:2537: free ctx 26349088 open=26349088
DEBUG: .../IO/Socket/SSL.pm:2542: free ctx 26349088 callback
DEBUG: .../IO/Socket/SSL.pm:2549: OK free ctx 26349088
2014/08/05 10:03:05> [http client] communication error: 500 Can't connect to n.n.n.n:8443 (certificate verify failed)
500 Can't connect to n.n.n.n:8443 (certificate verify failed)
ted@linux-jp04:~/Work/Projects/FirstData>


The error "SSL routines:SSL3_GET_SERVER_CERTIFICATE" seems self
explanatory, but what I can't figure out is why communication happens
properly when I use openssl s_client, with the CA authority cert and
the client side cert and key, but I can't successfully get the server
cert, even though my perl code provides the same information,
ultimately to openssl library code.

I can post my Perl code, if there is someone in this forum who knows
Perl, and especially the libraries used to handle HTTPS communications
(and how to get better debugging information from them - I have
$IO::Socket::SSL::DEBUG set to 3, which is the highest debug level
available, providing the most information, according to the docs).

I would appreciate advice on the best way of using Wireshark to
provide useful, actionable information; or advice on how to provide
the Wireshark logs to you in a way that is useful to you in helping me
debug this.  I have the CA root cert, used to sign both the server's
cert and the client cert, and obviously, I have both the client's key
and cert, if any of these files can be used to help Wireshark provide
more useful information; but I have no idea how to tell Wireshark to
use them, if in fact using them would be useful (I started working
with Wireshark this past Friday).

Thanks

Ted


-- 
R.E.(Ted) Byers, Ph.D.,Ed.D.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
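An added example, not part of Ted's message and not code from IO::Socket::SSL or LWP. The debug output above ends with `identity=n.n.n.n cn=lv-rtps-proxy-test.ne.1dc.com alt=` immediately before the verify failure, after both chain callbacks returned `ok=1`: the chain built fine against server-test.pem, and what failed is the peer-name check that IO::Socket::SSL's `verify_hostname` applies to the leaf certificate, a check that `openssl s_client` does not perform unless told to, which is why it reports `Verify return code: 0 (ok)` for the same server. The Python below re-implements that check over constructed certificate identities so the failure can be reproduced offline. The rules it applies (an IP identity needs an iPAddress SAN, the CN is consulted only when there is no subjectAltName, a wildcard is accepted only as the whole leftmost label) are RFC 6125-style rules and a simplification of IO::Socket::SSL's per-scheme table; `192.0.2.10` is a constructed stand-in for the sanitized `n.n.n.n`, and the cert values are taken from the log.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentity:
    """Identity fields of a leaf certificate: subject CN plus the dNSName and
    iPAddress entries of subjectAltName. Constructed by hand in this example;
    a real client reads them from the certificate after the chain verified."""
    cn: Optional[str]
    dns_alt: List[str] = field(default_factory=list)
    ip_alt: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match. A '*' is accepted only as the entire
    leftmost label, must leave at least two labels to its right, and never
    spans a dot (RFC 6125 section 6.4.3 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def verify_hostname(identity: str, cert: CertIdentity,
                    check_hostname: bool = True) -> Tuple[bool, str]:
    """Return (ok, reason). check_hostname=False mimics a bare openssl
    s_client run: chain validity only, the peer name is never compared."""
    if not check_hostname:
        return True, "hostname check disabled; only chain validity was checked"

    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP identity can only be satisfied by an iPAddress SAN entry.
        for alt in cert.ip_alt:
            try:
                if ipaddress.ip_address(alt) == ip:
                    return True, "matched iPAddress SAN %s" % alt
            except ValueError:
                continue
        return False, ("identity %s is an IP address but the certificate has "
                       "no matching iPAddress SAN (cn=%r, alt=%r)"
                       % (identity, cert.cn, cert.ip_alt))

    if cert.dns_alt:
        # When dNSName SAN entries exist the CN is ignored entirely.
        for alt in cert.dns_alt:
            if dns_name_matches(alt, identity):
                return True, "matched dNSName SAN %s" % alt
        return False, ("no dNSName SAN matched %s; CN %r not consulted "
                       "because a SAN is present" % (identity, cert.cn))

    if cert.cn is not None and dns_name_matches(cert.cn, identity):
        return True, "matched CN %s (certificate has no SAN)" % cert.cn
    return False, "identity %s matches neither SAN nor CN %r" % (identity, cert.cn)


def reproduce_log_failure() -> Tuple[bool, bool, bool]:
    """The situation in the debug log: leaf cert with
    cn=lv-rtps-proxy-test.ne.1dc.com and an empty alt list, client
    connecting by IP (constructed 192.0.2.10 in place of n.n.n.n).
    Returns (IO::Socket::SSL-like by IP, by DNS name, s_client-like)."""
    leaf = CertIdentity(cn="lv-rtps-proxy-test.ne.1dc.com")
    by_ip, _ = verify_hostname("192.0.2.10", leaf)
    by_name, _ = verify_hostname("lv-rtps-proxy-test.ne.1dc.com", leaf)
    s_client_like, _ = verify_hostname("192.0.2.10", leaf, check_hostname=False)
    return by_ip, by_name, s_client_like


if __name__ == "__main__":
    leaf = CertIdentity(cn="lv-rtps-proxy-test.ne.1dc.com")
    for ident in ("192.0.2.10", "lv-rtps-proxy-test.ne.1dc.com"):
        ok, why = verify_hostname(ident, leaf)
        print("%-32s ok=%d %s" % (ident, ok, why))
    print("s_client-like:", verify_hostname("192.0.2.10", leaf, check_hostname=False))
```

Connecting by IP address to a certificate whose only identity is a DNS CN fails this check no matter which CA signed it, so the fix is to connect to the DNS name, or to tell IO::Socket::SSL which name to expect (its SSL_verifycn_name option, which LWP 6 passes through in ssl_opts), rather than to switch verification off. On the Wireshark side, the handshake messages up to the server's CertificateRequest and the client's Certificate are sent in the clear even with the EDH-RSA-DES-CBC3-SHA suite shown above, so they are visible without any key once port 8443 is decoded as SSL; the ephemeral DH in that suite means the server's RSA key would not decrypt the application data anyway.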
